Improve Your Information Security Quickly, Easily and CHEAPLY - Part 1

By: (CISA, CISSP)

Publication: The Colorado Banker, May/June 2009

In today's climate of enormous economic turmoil and tightening budgets, an ever-expanding information security threat landscape and additional regulatory oversight, how would you like to strengthen your bank's information security with a minimal amount of time or expense? Thought you'd say that.

Reconfigure That Misconfigured Anti-Virus Software

After scores of Information Technology / GLBA 501(b) Audits and Assessments, virtually every audit report we write includes a finding about ineffective implementation of antivirus software. Since protection against malicious software is one of a bank's primary defenses, this finding is typically classified as a high-risk finding. Antivirus software installed on bank workstations and servers should be managed by a centralized management console installed on one of the bank's servers. In fact, the ability to consistently configure and effectively manage antivirus software across a bank's network actually depends on this type of implementation.

Assuming your bank has already purchased and installed antivirus software on all its servers and workstations, the following configuration tips will help to maximize the protections afforded by your bank's investment in antivirus software.

  1. Configure antivirus protection components such that they cannot be disabled by workstation users. Most antivirus software provides several elements of protection including real-time (active) scanning of files written to / read from the disk, email protection, and scheduled scans of every file on the local hard drive. The centralized management console should allow the system administrator to "grey out" any on/off switches for these protection components so users cannot defeat the antivirus protection by turning it off.
  2. Audit all systems regularly to ensure they have received virus definition updates and have not dropped off the centralized management console's radar. For "unknown" reasons, client computers (workstations and servers other than the server on which the antivirus centralized management console is installed) frequently fall out of the management console. Therefore, a master list of all workstations and servers should be compared to the list of computers in the centralized management console to ensure all systems are accounted for and are receiving virus definition updates.
  3. Configure the centralized management console to poll the antivirus vendor for virus definition updates hourly. Though virus definition updates are normally only published once daily, updates may be published several times in a single day in response to emerging threats. Bank systems would be unprotected against an emerging threat for as long as 23 hours if the centralized management console only polls the antivirus vendor once a day.
  4. Configure all client computers to poll the centralized management console hourly. If the centralized management console is configured to look for new virus definitions hourly, the clients should be looking to the management console hourly as well.
  5. Configure scheduled scans to be performed regularly on all workstations and servers. While the real-time scanning component of antivirus software should prevent virus infections, best practice is to configure scheduled scans of the entire hard drive at regular intervals, such as weekly. Because a scan of the whole disk uses a considerable amount of a system's resources, these scans should be scheduled after hours.
  6. Configure email notification of appropriate personnel when viruses are detected by either real-time or scheduled scans. Though the centralized management console should log infections detected on any systems, someone must review the logs to discover the detected infections. Notification by email will allow an immediate response.
  7. Confirm your antivirus solution includes antispyware and anti-adware protection. While the ramifications of spyware and adware on a bank's systems are not as severe as a virus infection, bank systems should be protected against these threats as well.
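As an added example (not from the article or any vendor's product), the audit in tip 2 can be scripted by reconciling the bank's master asset list against an export from the management console, which also surfaces the polling and real-time-protection problems from tips 1, 3 and 4. The sample hosts, the export column names and the staleness thresholds are constructed assumptions; a real console's export format will differ.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): the bank's master asset list
# and a CSV-style export from the antivirus management console.
MASTER_LIST = ["TELLER01", "TELLER02", "LOAN01", "FILESRV", "MAILSRV"]
CONSOLE_EXPORT = """\
hostname,last_checkin,definition_date,realtime_enabled
TELLER01,2009-05-12 09:05,2009-05-12 08:00,yes
TELLER02,2009-05-10 17:30,2009-05-10 16:00,yes
FILESRV,2009-05-12 09:10,2009-05-12 08:00,no
LEGACY95,2009-05-12 09:00,2009-05-12 08:00,yes
"""
NOW = datetime(2009, 5, 12, 9, 15)  # assumed time of the audit run
FMT = "%Y-%m-%d %H:%M"


def parse_console_export(text):
    """Parse the console export into a dict keyed by upper-cased hostname."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = {}
    for line in lines[1:]:
        f = dict(zip(header, line.split(",")))
        records[f["hostname"].strip().upper()] = {
            "last_checkin": datetime.strptime(f["last_checkin"], FMT),
            "definition_date": datetime.strptime(f["definition_date"], FMT),
            "realtime_enabled": f["realtime_enabled"].strip().lower() == "yes",
        }
    return records


def audit_antivirus(master_list, export_text, now=NOW,
                    max_checkin_age=timedelta(hours=2),
                    max_definition_age=timedelta(hours=24)):
    """Reconcile the master list with the console export and group findings by category.
    Thresholds are assumptions: 2h without check-in (hourly polling) or >24h-old definitions."""
    console = parse_console_export(export_text)
    master, seen = {h.upper() for h in master_list}, set(console)
    findings = {
        "missing_from_console": sorted(master - seen),  # tip 2: dropped off the console
        "unknown_to_master": sorted(seen - master),     # host nobody has inventoried
        "stale_checkin": [], "stale_definitions": [], "realtime_disabled": [],
    }
    for host, rec in sorted(console.items()):
        if now - rec["last_checkin"] > max_checkin_age:
            findings["stale_checkin"].append(host)        # tip 4: client not polling
        if now - rec["definition_date"] > max_definition_age:
            findings["stale_definitions"].append(host)    # tips 2-3: no fresh definitions
        if not rec["realtime_enabled"]:
            findings["realtime_disabled"].append(host)    # tip 1: protection switched off
    return findings
```

Hosts in `unknown_to_master` deserve the same attention as those missing from the console: a machine the console knows about but the inventory does not is often the kind of unsupported legacy system discussed below.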

On a related note, we detect computers on bank networks running unsupported operating systems with some regularity. Unsupported operating systems, such as Windows 95 and 98, Windows NT and Windows CE, are operating systems for which security patches are no longer available. Often, newer versions of antivirus protection will not run on these old operating systems. One unprotected system on a bank's network is the proverbial weakest link.

Of course, having computers on a bank's network which cannot be patched for newly discovered vulnerabilities and/or weak patch management is a significant issue, in and of itself. But, that's for another article.